Hello, I have a server with 5 public-facing IPs and one OpenVPN tun connection. The 5 IPs are all from the same provider and face the same gateway. I would eventually like to route all of one user's traffic to and from the VPN while leaving the rest of the server's traffic untouched. There is no local LAN, and the firewall is also the server -- everything resides on $FW.
I have tried this from a number of angles, so I set up a VMWare machine to run a limited test before migrating it to the full-scale server. I am testing using "ping -I tun0 google.ca" and "ping google.ca", where the first one should route to and from tun0 only, and the second to and from eth0 only (by default). tun0 will always be assigned the static IP of 10.88.0.6 and eth0 always 192.168.217.128. The tunnel has been successfully tested and monitored using tshark on both ends of the tunnel, and on all interfaces (both tun* and eth* at each side). Below is version information, the commands that successfully work WITHOUT shorewall being installed at all, and attached is a dump of all config files as well as a "shorewall dump". Thanks for your help; hopefully this is easier than I have found it to be thus far.
Version information!
root@ubuntu ~ # shorewall version
4.4.20.3
root@ubuntu ~ # uname -a
Linux ubuntu 2.6.38-8-generic #42-Ubuntu SMP Mon Apr 11 03:31:24
UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
root@ubuntu ~ # cat /etc/issue
Ubuntu 11.04
---------------
Now then, the following commands make this work, but I do not know how to integrate this into shorewall. This is what I suppose my real question is! Am I wrong to assume that this can be carefully put into shorewall's config files? As follows...
ip route add 192.168.217.0/24 dev eth0 src 192.168.217.128 table ISP
ip route add default via 192.168.217.2 table ISP
ip route add 10.88.0.0/24 dev tun0 src 10.88.0.6 table VPN
ip route add default via 10.88.0.5 table VPN
ip route add 192.168.217.0/24 dev eth0 src 192.168.217.128
ip route add 10.88.0.0/24 dev tun0 src 10.88.0.6
ip route add default via 192.168.217.2
ip rule add from 192.168.217.128 table ISP
ip rule add from 10.88.0.6 table VPN
In addition, the following has been added to /etc/iproute2/rt_tables, although ISP is unused...
1 ISP
2 VPN
This yields the following...
root@ubuntu ~ # shorewall show routing
Shorewall 4.4.20.3 Routing at ubuntu - Sat Jul 2 21:21:03 PDT 2011
Routing Rules
0: from all lookup local
32764: from 10.88.0.6 lookup VPN
32765: from 192.168.217.128 lookup ISP
32766: from all lookup main
32767: from all lookup default
Table default:
Table ISP:
192.168.217.0/24 dev eth0 scope link src 192.168.217.128
default via 192.168.217.2 dev eth0
Table local:
broadcast 127.255.255.255 dev lo proto kernel scope link src 127.0.0.1
local 192.168.217.128 dev eth0 proto kernel scope host src 192.168.217.128
local 10.88.0.6 dev tun0 proto kernel scope host src 10.88.0.6
broadcast 192.168.217.0 dev eth0 proto kernel scope link src 192.168.217.128
broadcast 192.168.217.255 dev eth0 proto kernel scope link src 192.168.217.128
broadcast 127.0.0.0 dev lo proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
Table main:
10.88.0.1 via 10.88.0.5 dev tun0
10.88.0.5 dev tun0 proto kernel scope link src 10.88.0.6
192.168.217.0/24 dev eth0 proto kernel scope link src 192.168.217.128
10.88.0.0/24 dev tun0 scope link src 10.88.0.6
default via 192.168.217.2 dev eth0
default via 192.168.217.2 dev eth0 metric 100
Table VPN:
10.88.0.0/24 dev tun0 scope link src 10.88.0.6
default via 10.88.0.5 dev tun0
Best Regards,
Tyler
dump.tar.gz
Description: GNU Zip compressed data
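The post's working setup is plain Linux policy routing: a rule keyed on the packet's source address selects a table, then the table's longest-prefix match picks the next hop, and a table with no matching route falls through to the next rule. The following is an added example (not code from the post, and not Shorewall's own code) that reproduces that decision offline against the rule list and tables shown above, abridged and embedded as constructed sample text. It shows why "ping -I tun0" (source 10.88.0.6) exits via 10.88.0.5 on tun0, why a plain ping (source 192.168.217.128) exits via 192.168.217.2 on eth0, and what happens for a source address no rule covers. The destination 203.0.113.10 is a documentation address standing in for google.ca; no real interfaces or root privileges are needed.

```python
"""Offline resolver for Linux policy routing: given `ip rule` and
`ip route show table X` style text, report which table and next hop the
kernel would pick for a (source, destination) pair.  Added example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample, abridged from the `shorewall show routing` output in
# the post (eth0 = 192.168.217.128, tun0 = 10.88.0.6).
RULES = """\
0: from all lookup local
32764: from 10.88.0.6 lookup VPN
32765: from 192.168.217.128 lookup ISP
32766: from all lookup main
32767: from all lookup default
"""
TABLES = {
    "local": """\
local 192.168.217.128 dev eth0 proto kernel scope host src 192.168.217.128
local 10.88.0.6 dev tun0 proto kernel scope host src 10.88.0.6
local 127.0.0.0/8 dev lo proto kernel scope host src 127.0.0.1
""",
    "ISP": """\
192.168.217.0/24 dev eth0 scope link src 192.168.217.128
default via 192.168.217.2 dev eth0
""",
    "VPN": """\
10.88.0.0/24 dev tun0 scope link src 10.88.0.6
default via 10.88.0.5 dev tun0
""",
    "main": """\
10.88.0.1 via 10.88.0.5 dev tun0
10.88.0.5 dev tun0 proto kernel scope link src 10.88.0.6
192.168.217.0/24 dev eth0 proto kernel scope link src 192.168.217.128
10.88.0.0/24 dev tun0 scope link src 10.88.0.6
default via 192.168.217.2 dev eth0
default via 192.168.217.2 dev eth0 metric 100
""",
    "default": "",  # empty, exactly as in the post
}
ROUTE_TYPES = {"unicast", "local", "broadcast", "unreachable", "prohibit", "blackhole"}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]   # None for an on-link route
    metric: int
    kind: str            # unicast / local / broadcast / ...


@dataclass
class Rule:
    prio: int
    src: ipaddress.IPv4Network   # 0.0.0.0/0 for "from all"
    table: str


def _net(text: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if text in ("default", "all") else text, strict=False)


def parse_route(line: str) -> Route:
    toks = line.split()
    kind = toks.pop(0) if toks[0] in ROUTE_TYPES else "unicast"
    prefix = _net(toks.pop(0))
    attrs = dict(zip(toks[0::2], toks[1::2]))   # via/dev/src/proto/scope/metric pairs
    return Route(prefix, attrs.get("dev", ""), attrs.get("via"), int(attrs.get("metric", 0)), kind)


def parse_rule(line: str) -> Rule:
    prio, rest = line.split(":", 1)
    toks = rest.split()
    attrs = dict(zip(toks[0::2], toks[1::2]))
    return Rule(int(prio), _net(attrs.get("from", "all")), attrs["lookup"])


def parse_table(text: str) -> list:
    return [parse_route(l) for l in text.splitlines() if l.strip()]


def lookup(routes, dst: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match within one table; ties go to the lowest metric."""
    hits = [r for r in routes if dst in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None


def resolve(rules, tables, src: str, dst: str):
    """Walk rules by priority.  A rule whose table has no matching route falls
    through to the next rule: an empty 'default' table is harmless, but a
    per-source table missing its default route silently falls back to main."""
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.prio):
        if src_a in rule.src:
            route = lookup(tables.get(rule.table, []), dst_a)
            if route is not None:
                return rule.table, route
    return None, None


PARSED_RULES = [parse_rule(l) for l in RULES.splitlines() if l.strip()]
PARSED_TABLES = {name: parse_table(txt) for name, txt in TABLES.items()}


def next_hop(src: str, dst: str, rules=PARSED_RULES, tables=PARSED_TABLES) -> dict:
    table, route = resolve(rules, tables, src, dst)
    if route is None:
        return {"table": None, "dev": None, "via": None}
    return {"table": table, "dev": route.dev, "via": route.via}


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for google.ca
    for src in ("192.168.217.128", "10.88.0.6", "192.168.217.200"):
        print(src, "->", next_hop(src, "203.0.113.10"))
```

Two things the resolver makes visible. First, the whole scheme hinges on the source address: "ping -I tun0" works only because it binds the socket to 10.88.0.6, so any process that does not bind explicitly (or that is handed the default source 192.168.217.128) is routed by the ISP table and never sees the tunnel; steering "all of one user's traffic" therefore needs a mark or a source-address constraint on that user's sockets, not just these rules. Second, the VPN table has no host route for 10.88.0.1, so traffic from 10.88.0.6 to 10.88.0.1 matches the /24 there rather than the "via 10.88.0.5" entry in main; whether that matters depends on the tunnel topology. On the Shorewall side, these per-interface tables and source rules are what its providers file is designed to generate, so the values above map onto that file rather than onto hand-run ip commands.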
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
